One Person's View On Where The Responsibility Lies With Phishing Scams

Should credit unions step up to the plate in the fight against e-mail phishing, or does the responsibility belong with the individual member?

Kevin Landel, VP-technology at the $800-million California Coast Credit Union, believes credit unions need to cast their nets against phishing. But other credit union executives feel that the scams aren't their problem.

After all, credit unions aren't responsible for creating or responding to the phony messages, which are designed to trick members into divulging their financial and personal information to hackers.

Yet members expect their credit unions to take the phish by the fins, according to research firm Financial Insights of Framingham, Mass.

Landel is one credit union executive who agrees with the members.

"One of the credit union industry's underlying missions is to educate members," Landel explained. "Educating members about phishing is just good business practice. We decrease our risk and increase the security of members' funds."

In addition, Landel believes credit unions themselves are targets for phishers.

Indeed, financial institutions worldwide could lose up to $400-million in fraud due to phishers this year, according to a Financial Insights report.

For example, hackers could bypass spam filters and send password scams to CU employees, said Landel. The official-looking e-mails could contain replicas of credit union logos and signatures authorizing the employee to reset their system passwords.

Reasonably sure that all is routine, employees might click on an embedded link, taking them to an external hacker site where they unwittingly disclose their employee passwords.

When Employees Get 'Hooked'

"If an employee gets hooked, then the credit union could lose member information," Landel said. "All credit unions are vulnerable and would suffer greater impact from an incident than the individual consumer."

It may seem improbable that employees would actually respond to scams. However, the Anti-Phishing Working Group (APWG) reported in July that up to 5% of recipients respond to phisher e-mails, despite consumer warnings coming from the mass media, network security providers and some financial institutions.

The APWG members, including nearly 650 financial institutions, online retailers, Internet Service Providers, the law enforcement community, and solutions providers, work to eliminate fraud and identity theft that result from phishing.

Furthermore, consumers are exposed to more phishing scams every month. The number of incidents is rising 50% per month in 2004, said the APWG in July. Phishers sent out more than 60 unique attacks each day in July, it said.

Education is the No. 1 defense against the threat, Landel continued.

Employees and members alike should not use email as a secure communication channel, he said. In addition, email users should never divulge information by clicking on embedded links; they should type website addresses directly into browser fields.

"We also tell our staff in ongoing training sessions that we will never make it easy for them to reset their passwords. Any changes will come through official, secure channels and not through e-mail."

Landel himself participates in seminars that address phishing, including "Phishing-Don't Fall Hook, Line & Sinker" presented by NACHA on Nov. 3.

"I'll also evaluate the seminar content for use in our employee education initiatives," Landel added.

Coast Central warns and gives tips against phishing to its 70,000 members on the home page of its website and in monthly newsletters.

In July, a group of 11 large financial institutions took matters into their own hands, working with the Financial Services Technology Consortium and coordinating with the APWG on a three-phase Counter-Phishing Initiative.

Landel said that he expects a credit union coalition will also surface in response to the increase in phishing.

CUJ Resources

For info on this story:

* California Coast CU at www.calcoastcu.org

* Anti-Phishing Working Group at www.antiphishing.org

* Financial Services Technology Consortium at www.fstc.org
